Slashdot Mirror


FBI Remotely Installs Spyware to Trace Bomb Threat

cnet-declan writes "There have been rumors for years about the FBI remotely installing spyware via e-mail or by exploiting an operating system vulnerability from afar — and now there's confirmation. Last month, the FBI obtained a federal court order to remotely install spyware called CIPAV (Computer and Internet Protocol Address Verifier) to find out who was behind a MySpace account linked to bomb threats sent to a high school near Olympia, Wash. News.com has posted a PDF of the FBI affidavit, which makes for interesting reading, and a summary of the CIPAV results that the FBI submitted to a magistrate judge. It seems as though CIPAV was installed via e-mail, as an article back in 2004 hinted was the case. In addition to reporting the computer's IP address, MAC address, and registry information, it also gave the FBI updates on which IP addresses the user(s) visited. But how did the FBI get the spyware activated and past anti-virus defenses? Two obvious ways are for the Feds to find and exploit their own operating system backdoors, or to compromise security vendors..."

51 of 325 comments

  1. How long will it be before ... by 140Mandak262Jamuna · · Score: 4, Insightful

    ... FBI (and some if-it-will-save-one-child-it-is-worth-it legislators) demand all the OS vendors to install backdoors so that it can come in and install whatever spyware it wants to be installed?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:How long will it be before ... by ArcherB · · Score: 4, Interesting

      First they came for the library records, you did not care because you cant read

      Then they came for net access records, you did not care because you don't need privacy there ...

      Someday they will come for you, and there will be no one left to care

      They did have a warrant.

      --
      There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
    2. Re:How long will it be before ... by Hotawa+Hawk-eye · · Score: 3, Insightful

      Those backdoors would be the biggest targets ever for any malware authors. I'd also envision a series of lawsuits from large companies (Intel, AMD, IBM, AT&T, the big pharmaceutical manufacturers, etc.) against the OS vendors and the government as soon as somebody breaks in via the backdoors and steals confidential information. "We've spent billions of dollars researching drug X, and your backdoors allowed hackers to break in, steal all that research, and sell it to our competitors. Now tell us again why we shouldn't sue you for all you're worth, destroy your corporate headquarters, and plow salt into the earth where it once stood, as a lesson never to try this again?"

    3. Re:How long will it be before ... by Opportunist · · Score: 4, Insightful

      I only use my car for groceries. So why should I be against complete surveillance and GPS positioning of every single car? Hey, it doesn't affect me, ya know?

      I only use my credit card to pay for my phone bill. So why should I be against complete surveillance of CC payments? Hey, it doesn't affect me, ya know?

      I only...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:How long will it be before ... by Red+Flayer · · Score: 4, Funny

      First they came for the library records, you did not care because you cant[1] read[2a]

      Then they came for net access records, you did not care[3a] because you don't need privacy[3b] there[2b]
      [1] First they came for the apostrophe Nazis, and I did not care because I know how to use apostrophes.
      [2] Then they came for the end-of-sentence punctuation Nazis, and I did not care because I punctuate my sentences.
      [3] Then they came for tense agreement Nazis, and I did not care because I know that 'do not need privacy' (even abbreviated as don't) is present tense while 'did not care' is past tense.

      Then I realized that it matters not, because if someone can't read, they aren't going to care about net access records regardless of the privacy issues.
      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    5. Re:How long will it be before ... by Knuckles · · Score: 3, Insightful

      The Gestapo had warrants too ...

      --
      "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
    6. Re:How long will it be before ... by SpaceLifeForm · · Score: 3, Interesting

      And now, they don't even want to bother with that formality.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
  2. User by kevin_conaway · · Score: 2, Insightful

    But how did the FBI get the spyware activated and past anti-virus defenses? Two obvious ways are for the Feds to find and exploit their own operating system backdoors, or to compromise security vendors...

    My guess is that nothing quite so sophisticated was necessary since the user downloaded and ran an unknown attachment from an email message

  3. Hold it, hold it... by Opportunist · · Score: 3, Interesting

    ...where does it say that the guy even had any kind of AV software on his computer?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. Heuristics and spyware by ergo98 · · Score: 5, Insightful

    Two obvious ways are for the Feds to find and exploit their own operating system backdoors, or to compromise security vendors...

    Would it even be necessary to compromise security vendors? While heuristics and malware detection has been something long promised, it is my understanding that the vast majority of security software works purely by comparing against their dictionary of known attacks. If the police have highly specialized, very limited deployment spyware, it seems that most security software wouldn't have any inkling that it's malware in the first place.

    I have no doubt that organized crime and government agencies are aware of and abusing exploits. Given that they don't blast it to the world like a giddy teenager looking for attention, no one knows what to look for.
  5. Click here for free movies! by Spudtrooper · · Score: 5, Funny

    From: spyware@fbi.gov
    Subject: Click here for free movies!
    Attachment: not_spyware.exe

    Hello! You have been selected to receive free movies at no cost to you! All you have to do is install the attached program to start downloading all the latest Hollywood hits free of charge!

    1. Re:Click here for free movies! by tehcyder · · Score: 3, Funny

      From: spyware@fbi.gov

      Subject: Click here for free movies!
      Attachment: not_spyware.exe

      Hello! You have been selected to receive free movies at no cost to you! All you have to do is install the attached program to start downloading all the latest Hollywood hits free of charge!

      Oh, FUCK.
      --
      To have a right to do a thing is not at all the same as to be right in doing it
    2. Re:Click here for free movies! by elrous0 · · Score: 2, Funny
      Headline of a future Washington Post article:

      "Our Investigation Was Going Nowhere Until We Thought of Posing as a Nigerian Prince," Says FBI Agent

      --
      SJW: Someone who has run out of real oppression, and has to fake it.
  6. Open letter reply to that kind of law by Opportunist · · Score: 4, Insightful

    "Thank you. You just made hacking a whole lot easier."

    The Germans already proposed something like that. It was retracted when they realized that it pretty much opens the door to any kind of espionage, and that this could quickly turn AGAINST them.

    No backdoor is secure. Word will get out and it will be abused. Worse yet, if you force AV and firewall manufacturers to keep that hole unplugged, you open yourself and all the businesses in your country to industrial sabotage and espionage.

    Think the feds are THAT stupid? Even if, do you think their lobbyists will allow them to?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Open letter reply to that kind of law by hpa · · Score: 5, Funny

      Think the feds are THAT stupid?
      Yes.
    2. Re:Open letter reply to that kind of law by Cro+Magnon · · Score: 2, Interesting

      Think the feds are THAT stupid? Even if, do you think their lobbyists will allow them to?


      Yes, to both! The lobbyists aren't exactly rocket scientists themselves.
      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    3. Re:Open letter reply to that kind of law by Opportunist · · Score: 2, Insightful

      Lobbyists usually don't care jack about bombs either, though. They might want to sniff through your computers to make sure you don't have files they consider theirs, but they sure as hell would not want that crap on their own machines. Imagine the feds being able to sniff through their files and finding ... teh horrorz!

      So if anything, they'll want this on the PCs of normal people, but certainly not in a system they might use themselves!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Open letter reply to that kind of law by vertinox · · Score: 5, Interesting

      The Germans already proposed something like that. It was retracted when they realized that it pretty much opens the door to any kind of espionage, and that this could quickly turn AGAINST them.

      It's already happened to Greece's wiretapping software. Someone broke into the main cell phone company and hacked the software installed for legal wiretaps to listen in on government officials' cell phones. They didn't notice it until they tried to upgrade the software and realized someone had been using it.

      http://www.spectrum.ieee.org/jul07/5280/1
      --
      "I am the king of the Romans, and am superior to rules of grammar!"
      -Sigismund, Holy Roman Emperor (1368-1437)
  7. Getting past defenses? by ShaunC · · Score: 5, Insightful

    But how did the FBI get the spyware activated and past anti-virus defenses?
    Easy, they sent it to some kid on MySpace. It's a rather large assumption that he had any anti-virus defenses at all, much less that AV vendors are being complicit with the FBI trojan.

    Something seems fishy about the whole story, though. This guy was apparently savvy enough to use a proxy in Italy to send his Gmail bomb threat emails, so he was at least trying to cover his tracks... But he was dumb enough to open a random email attachment? It strikes me as more likely that the CIPAV is deployed through a browser exploit (or perhaps even "legitimately" as an ActiveX control or BHO, people will install anything).
    --
    Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    1. Re:Getting past defenses? by Opportunist · · Score: 4, Insightful

      Using an onion router is no sign of computer knowledge. Some pal might have pointed him to The Onion Router, he saw it, went "wow, they can't track me if I got that", and that's it.

      Just because someone does something the "average Joe" cannot or does not do, doesn't mean that he knows more than said Joe. He might just have gotten some clue from a pal, without said pal telling him the whole story.

      It's simple script-kid style. Yes, some of the malware that circulates is pretty well written, but the people using it are sometimes so dumb that you wonder if they ain't better off serving fries. They're bound to be caught.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Getting past defenses? by Anonymous Coward · · Score: 2, Interesting

      > Would you NOT open an attachment from an authentic fbi.gov
      > address? Criminal activity or not, ignoring that attachment
      > would be a ballsy decision.

      You really don't deserve to be on the Internet. Really, you are
      a liability to others.

      Never, ever, ever open an attachment which you did not request.
      It's that easy.

  8. Where's the provision for any federal police squad by dada21 · · Score: 2, Interesting

    I keep re-reading my Constitution, and I don't see where it allows for a police power for the Federal government to go after bomb threats or any similar crime.

    Is a bomb threat considered piracy?

    Is a bomb threat considered treason?

    Is a bomb threat considered counterfeiting?

    If it isn't, there is NO Federal allocation of power to go after bomb threats, period. What the FBI is doing is not just unconstitutional, but any political leader who took an oath to uphold the Constitution is violating the only oath they took.

    It is time that the residents and citizens of the United States of America ask where the government has gotten these powers from. I know that many of the previous generation is afraid of terrorist attacks, but we are all being attacked already in having our natural rights taken away from the very government that has one major purpose: to protect us from the State who wants to take those rights away.

    It is fairly simple. The FBI has no provision in the Constitution, nor in any Amendments to said Constitution, and should just go away. Let the local State police force worry about bomb threats. If it happens from across State lines, let both State police forces work together.

  9. Re:Why are people so stupid anyway? by deftcoder · · Score: 2, Interesting

    Or, rather, you only hear about the stupid ones.

    The smart ones do not get caught.

    --
    Peace sells, but who's buying?
  10. Woot! by DRAGONWEEZEL · · Score: 2, Funny

    They think this guy really did it! I fooled 'em good!

    --
    How much is your data worth? Back it up now.
  11. Occam's razor at work by Opportunist · · Score: 4, Insightful

    We have: A teenager who used his computer to send bomb threats through myspace.

    Assumption 1: He doesn't know jack about computer security like 99% of the users out there and simply clicks everything sent to him.

    Assumption 2: The FBI keeps a hole open in Windows that only they know about.

    Assumption 3: AV vendors are forced to keep holes open, as well as firewall vendors and everyone else who could technically find it.

    Assumption 2 and 3 bear a heavy load. Assumption 2 implies that EVERY Windows OS can be remotely exploited. Now, it IS possible to reverse Windows. And since there are Windows emulators out there that can handle calls to functions most people don't even know exist, it's safe to assume that quite a few people already reversed some parts of Windows. A hole would have been found by now. More important, such a hole could easily be used against US companies when, say, China finds them and uses it to eavesdrop on confidential data. If such a hole existed, the first thing the FBI would do is make sure that no US company dealing with critical or sensitive information (nuclear, biological, you name it) uses Windows as their main operating system.

    Thus I consider it rather unlikely.

    Assumption 3 includes that every AV vendor on this planet knows about the hole/malware and keeps his mouth shut. Now, a good deal of such AV vendors sit in countries that are not the US, worse, some of those countries are economical competitors to the US. Think they'll keep silent? Or that they would include it into their software? Hardly likely.

    I'd stay with assumption 1: He was careless, clicking on everything and running no AV kit.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Occam's razor at work by dintech · · Score: 2, Funny

      implies that EVERY Windows OS can be remotely exploited.

      Who needs the FBI for this? Microsoft have been doing this all by themselves for years...

    2. Re:Occam's razor at work by Opportunist · · Score: 3, Insightful

      Still, there has to be some kind of code providing for such a signed tool. And a branch that gets never accessed is something absolutely irresistible for every reverser, especially if it looks like something that could run code on privileged levels.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Occam's razor at work by PPH · · Score: 2, Informative

      Assumption 1: He doesn't know jack about computer security like 99% of the users out there and simply clicks everything sent to him.
      Most likely the case.

      However:

      Assumption 2: The FBI keeps a hole open in Windows that only they know about.
      Why is Microsoft's DoJ settlement supervised by a FISA court judge (Kathleen Kotar-Kelly)? These judges are the only ones cleared to review cases where espionage techniques may be revealed and there is a need to keep such information out of the public record.

      Assumption 3 includes that every AV vendor on this planet knows about the hole/malware and keeps his mouth shut.
      AV vendors implement searches for 'well-known' virii. Stuff that is widely propagated by script kiddies or phishing attacks that depend on wide distribution so that a minute response rate will be profitable. Professionally written spyware that is designed to be targeted to individuals or small groups is rarely detected. It isn't particularly difficult to tweak spyware to evade AV scans as long as you don't have to distribute millions of copies.

      Assumption 1 is probably correct but don't count on AV software to protect you if the FBI wants to peek at your system. You could lock down your system so as not to be susceptible to e-mail or web page attacks, but that cripples a Windows system to the point of being unusable for the sorts of things most MySpace users value.

      --
      Have gnu, will travel.
    4. Re:Occam's razor at work by Aeiri · · Score: 2, Interesting

      Sure, there are a lot of APIs used that are unknown to the public, there are lots of things reverse engineered, but even the most reverse engineered features have stuff in them that are unknown.

      For instance, the NTLMv2 response in NT authentication.

      NTLMv2 Specs

      Scroll down and you'll see:

      0x00000000 (unknown, but zero will work)

      This is simply the best place to put a password bypass, a flag in the authentication packet itself. If it's the right value, then just don't check the password and let the person in.

      Nobody has ever figured out what this does. All features are implemented in the NT authentication, but there are gaps that don't negatively impact anything.

  12. Re:the answer is simple by arivanov · · Score: 4, Insightful

    Neither. In the current security climate most security vendors will bend over straight away and turn a blind eye on an "authorised" Trojan. In fact at least one of the US ones is known to have done so and that was leaked to the press around 2004 (sorry forgot which one). Even further, I would not be surprised if some of them go as far as "facilitating" its installation.

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/
  13. Re:Where's the provision for any federal police sq by Attila+Dimedici · · Score: 2, Informative

    Congress does a lot of things that are not authorized in the Constitution... Social Security, Department of Education, and on and on. Many of them are "good" things. Personally, I heard a suggestion a couple of years ago that I think would be a great idea: before Congress can consider any Bill, it must contain a clause which states where in the Constitution Congress is given the authority to legislate on this particular topic. This would eliminate a lot of laws from even being considered and make it easier to determine the Constitutionality of a law. If said clause of the Constitution does not actually extend said authority, the judge can readily declare it unconstitutional and if Congress wants to authorize it based on some other clause of the Constitution, they can start over.

    --
    The truth is that all men having power ought to be mistrusted. James Madison
  14. Re:Where's the provision for any federal police sq by dada21 · · Score: 2, Insightful

    You are wrong about constitutionally protected speech when it can cause harm or mass hysteria. That is NOT protected.

    At the Federal level it surely is, regardless of what the Supreme Court wrongfully interpreted. Let us read a very simple part of the Constitution, a document written specifically to declare what the Federal Government can do, and what it is restricted from doing:

    Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

    As you can see, no law means no law. Harm, mass hysteria, are issues that have been with man since the dawn of man. They were nothing new to the Founding Fathers who knew that government uses the idea of "mass hysteria" to harm natural rights. They left those issues to the People and the Individual States.

    I'm curious how the 2nd would protect against airline hijacking though.

    Airplanes are private property. Private owners should be free to allow, or disallow, armed passengers. In fact, the United States airlines DID allow armed passengers until the Federal Government unconstitutionally prevented people from carrying their weapons on-board planes. Show me one terrorist who would dare to threaten hijacking on a plane where half the passengers are armed and trained and protecting themselves. In all the years people armed themselves on airliners, we had no issues with terrorism in the States.

  15. Why is this even on /.? by mpapet · · Score: 2, Insightful

    I know this site is a big echo chamber but the simple fact of the matter is Federal law enforcement coordinates very closely with every computer vendor that has anything of interest to them. The coordination efforts are expressly for purposes like this. I seem to recall photochop will throw an error if you try to scan U.S. currency. It's like that, only everywhere and no error messages.

    Law enforcement is very deep into every aspect of computer activity. It's been this way for more than a decade.

    The /. moral outrage rings very hollow because no one will fight for anything different.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  16. Re:Hello World by Shakrai · · Score: 2, Funny

    How hard is it to pay someone who can?

    s/pay/blackmail

    There, fixed that for you.

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
  17. The Problem by Bob9113 · · Score: 4, Interesting

    I support surveillance by law enforcement agencies. I also believe in fairly stiff penalties for breaking the law (though I would add that I feel that harsher penalties for real crimes should be balanced with reducing the breadth of behavior that the government restricts). However, I am opposed to the use of spyware on the suspect's property for such surveillance. Why this conundrum?

    The problem is that technology is getting closer to us all the time. The barrier between man and machine is becoming much narrower. And that is a good thing. At the far end of the spectrum people have long been getting artificial hearing enhancers, and now we are starting on intelligent artificial eyes and limbs. People with epilepsy are getting electronics embedded in their brains. At the nearer end of the spectrum, a large percentage of the population now carries a small computer with them everywhere (their cell phone). The man/machine split is disappearing.

    So what? Well, we have a problem developing if the government assumes that anything that does not have your genome is fair game for them to crack. Today it is the suspect's computer. This already poses a problem if the suspect is, for example, engaged in legitimate contracting for some corporation - should the government have the right to compromise the security of that corporation because one of their employees is breaking the law?

    But what of the more tightly coupled technology? Should the government be allowed to plant a bug in my hearing aid? Should they be allowed to tap the signals coming from my artificial eyes? Should they be allowed to monitor the same brain activity patterns that my seizure mitigating device monitors?

    The problem is that we are becoming more closely coupled with technology, and that is a good thing. We are the first species in history to actively engage in our own evolution. But if we cannot trust our technology, it creates a barrier to that evolutionary step. I have the right not to self-incriminate. But if a computer is part of me, where does the line get drawn?

  18. Read the real version of the story by Anonymous Coward · · Score: 5, Informative

    Declan not only ripped this story off from Wired without attribution, he got it wrong. There's no way the police could have emailed the tracking software to the kid as an attachment. Myspace doesn't allow attachments. Want to see the real story with real reporting: try the original story here: http://www.wired.com/politics/law/news/2007/07/fbi_spyware

  19. NSAKEY by bill_mcgonigle · · Score: 3, Informative

    ... FBI (and some if-it-will-save-one-child-it-is-worth-it legislators) demand all the OS vendors to install backdoors so that it can come in and install whatever spyware it wants to be installed?

    Where have you been?

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  20. Re:smileys.exe by TheRaven64 · · Score: 2, Funny

    If your version of file can't tell the difference between an MS-DOS executable and a Windows PE binary then you might want to consider upgrading, as it's almost certainly a good 15 years out of date.

    --
    I am TheRaven on Soylent News
  21. NSAKEY by Kadin2048 · · Score: 4, Informative
    Microsoft denied it, they said that the key's variable name being called "NSAKEY" was just an ... uh, you know ... coincidence.

    http://en.wikipedia.org/wiki/NSAKEY is a good primer.

    It was covered extensively at the time by the likes of Bruce Schneier and others, his comments said:

    Suddenly there's a flurry of press activity because someone notices that the second key in Microsoft's Crypto API in Windows NT Service Pack 5 is called "NSAKEY" in the code. Ah ha! The NSA can sign crypto suites. They can use this ability to drop a Trojaned crypto suite into your computers. Or so the conspiracy theory goes.

    I don't buy it.

    First, if the NSA wanted to compromise Microsoft's Crypto API, it would be much easier to either 1) convince MS to tell them the secret key for MS's signature key, 2) get MS to sign an NSA-compromised module, or 3) install a module other than Crypto API to break the encryption (no other modules need signatures). It's always easier to break good encryption by attacking the random number generator than it is to brute-force the key.

    Second, NSA doesn't need a key to compromise security in Windows. Programs like Back Orifice can do it without any keys. Attacking the Crypto API still requires that the victim run an executable (even a Word macro) on his computer. If you can convince a victim to run an untrusted macro, there are a zillion smarter ways to compromise security.

    Third, why in the world would anyone call a secret NSA key "NSAKEY"? Lots of people have access to source code within Microsoft; a conspiracy like this would only be known by a few people. Anyone with a debugger could have found this "NSAKEY." If this is a covert mechanism, it's not very covert.
    I think the jury is still out on exactly what was really going on; if it was an NSA backdoor, it was a pretty boneheaded one. Alternately, if it was just Microsoft being redundant, then it shows that they didn't plan very well and don't seem to understand security very well. Given the choice between the two, I think boneheadedness on MS's part is more likely.
    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  22. Happening right now. by Anonymous Coward · · Score: 3, Interesting

    Too much info has been released and I can explain what is occurring right now. This is not speculation.

    - E-mail account made at a foreign e-mail hosting site that has an extremely terse address so as not to be hit by spambots (i.e. 4433dakjikk83726jj@somewhere.org)
    - E-mails are sent from a stolen laptop through a public wireless access point that are copycats of this crime to elicit the same FBI response.
    - E-mails are then checked each day from different public access points each day using a different MAC address at each access point. [The only e-mail that should be coming into this account would be the one from the FBI. Probably easy to verify by checking DNS records of the e-mail's originating IP or IP block.]
    - E-mail is received and copied to disk.
    - Laptop is destroyed.
    - CD with e-mail is then analyzed on a Linux/Unix machine that has no internet connection.
    - Backdoor/exploit vector is discovered and used for "other" purposes.

  23. The warrant isn't really the point. by camperdave · · Score: 5, Insightful

    The warrant isn't really the point. The point is that they have the tech to get past firewalls and antivirus software, and can plant spyware on your machine. This time it was legal, because the FBI got the warrant. But what about the CIA/NSA/RIAA using the same tech to spy on you? Some government agencies don't need warrants.

    --
    When our name is on the back of your car, we're behind you all the way!
    1. Re:The warrant isn't really the point. by erroneus · · Score: 5, Insightful

      The bigger problem isn't only Government bodies or even the RIAA (who would have to disclose their methods of evidence collection as a means of validating the evidence). If they can do it, ultimately anyone can do it.

      There is no magic at play here. If it's a secret, someone can learn it. If it's a method, someone can learn it. If it can be done by one, it can be done by all and whether or not you trust your government or your legal system is almost irrelevant to the larger point. If there exists that serious of a chink in your armor, SOMEONE will exploit it and it may not always be for the right reasons or by the right people.

  24. Re:Where's the provision for any federal police sq by giafly · · Score: 2, Insightful

    Show me one terrorist who would dare to threaten hijacking on a plane where half the passengers are armed and trained and protecting themselves.
    • You have apparently never heard of suicide bombers?
    • Also who needs real terrorists if half the passengers are trigger-happy amateurs? Just 'phone in a hoax and hope they panic.
    --
    Reduce, reuse, cycle
  25. Grey-market exploits by athloi · · Score: 2, Interesting

    The answer is right in front of you. Governments and spy shops pay for exploits before they're made public, so they can use them to enter your machine as they need to. In this case, we don't know how CIPAV was delivered, but it might be as simple as an undiscovered exploit in Outlook or a browser-based email system. While none of us trust government, I equally don't trust my fellow citizens, so the "ethics" of this point are moot.

  26. Re:the answer is simple by pe1chl · · Score: 4, Insightful

    But what if you (as any sensible person would do) simply block anything that is executable from being received via mail?

  27. Updated by PooseCat · · Score: 2, Interesting
    --
    ^..^
  28. Real or just FBI PR? by EmbeddedJanitor · · Score: 2, Insightful

    After Sept 11, the FBI etc. have PR issues trying to convince the world that they are on the ball and protecting Joe Citizen. These sorts of statements are not necessarily true. They could just be "feel good" measures like making you take your shoes off at airports.

    --
    Engineering is the art of compromise.
  29. I'm kind of new here by SIIHP · · Score: 5, Insightful

    But posts like this really irk me.

    What exactly do you want? They got a warrant. Isn't that kind of oversight what we want? I don't understand why you think making a comparison to the Gestapo (and did they really have warrants?) adds a single thing to the conversation.

    Please tell me what your solution is, so I can put your comment in some kind of context. I've seen it and its like from several other posters, but not a single one of them goes on to make a coherent argument after making it, and neither did you.

    The FBI has a job, in this case it seems a job that we'd all like them to be proficient at, that of preventing bombings. They pursued evidence through the correct channels, got a warrant, set up an operation, and did their jobs. In light of that, doesn't the "Gestapo" comment seem a bit reactionary and irrational?

    So what the hell is with the specious Gestapo comparison? Do you think someone's rights were violated somehow, or the FBI overstepped their authority, or what exactly? Or is it vogue here to toss out inflammatory comments for no reason other than to provoke a reaction? I thought that's what the "troll" mod was for?

    Lastly, the Gestapo also pandered to the fears and insecurities of the populace, so I'd be careful throwing around such comparisons if I were you.

    --
    I only go to buffets for the unlimited soft serve.
    1. Re:I'm kind of new here by toiletsalmon · · Score: 2, Insightful

      "What exactly do you want?"

      You know what I want? I want to be able to TRUST that the executive branch of the government (law enforcement included) really has what's best for the country in mind, but I'm just not feeling it.

      The executive branch of our government has recently been found guilty of large scale domestic spying "for the greater good", torture, and any number of other egregious offenses. Of course, it's up to some interpretation I guess, but I say they're blatantly illegal offenses at worst and contrary to the spirit of our laws in the very least.

      If they're so willing to throw aside our laws to accomplish what they want in extreme cases, exactly where do they draw the line? Torture is OK, but what about murder? Installing spyware is OK to get the data you need, but what about fabricating data? When are we going to reel these guys in, and at what eventual cost?

      I don't care if they had a warrant in this particular instance. I don't care if the guy they were going after was just a petty crook, truly a terrorist, or even a pedophile. What I DO care about is the fact that we've already seen that the legislative branch is more than willing to re-write portions of our law to make this sort of "sneaky" behavior perfectly legal, for the sake of "safety" and "security". I'm not so sure that it's a good thing that it's getting harder and harder to tell the difference between the tactics used by the "good guys" and those employed by the "bad guys". I thought law enforcement was supposed to be taking the high ground and fighting fair. Isn't that part of what being a "good guy" is all about? Morals and integrity and whatnot?

      And another thing, even if all this stuff is "legal", I don't like seeing them practice these strong-arm tactics on even the real bad guys. It makes me nervous, because I've learned first hand that, regardless of what's "legal" or "right", when you're mistakenly on the wrong end of one of these actions, knowing that the courts MIGHT eventually straighten it out won't make you feel any better when you're sitting around in jail (or god forbid, in a coffin).

      "Oops. Sorry. We weren't supposed to do that..."

      Basically, I want the good guys to start acting like good guys and cut out all the god-damned shenanigans. Stooping to the crooks' level will, and is, taking us down a path I don't really think we want to be on.

  30. Re:the answer is simple by ozric99 · · Score: 5, Funny

    Even then, the Acrobat process would need write-access to system files. On a decently managed system, it hasn't.
    From the summary:
    A MySpace account linked to bomb threats sent to a high school.

    Chances of this system being secure, updated, well-managed? 0
    Chances of this system being a Gateway laptop that takes 10 minutes to boot, loads 5 IM apps on startup, has 4 different IE toolbars, and constantly warns that the Norton Antivirus subscription lapsed 16 months ago? Our survey says yes!
  31. Re:the answer is simple by ehrichweiss · · Score: 2, Interesting

    Ever heard of a rootkit? Those are installed every day without a single peep from an up-to-date AV scanner. Hell, I've got a book on creating them right now that has an example that has managed to bypass Avira and AVG. And that's just example code.

    --
    0x09F911029D74E35BD84156C5635688C0